1. Technical Field
This disclosure relates generally to identity management in a distributed computing environment.
2. Background of the Related Art
A shared (or “sharing”) account is an Information Technology (IT) login credential shared among a group of users. Typically, a shared account is in limited supply or is used as a common credential to which a group of people require access (such as a helpdesk). Access to the shared account is via a common credential shared among the set of users that have authorized access to the shared account. Provisioning and revocation of the shared credential often proves to be a manual, costly and problematic endeavor. This is largely because the shared account credential is distributed to all authorized shared account users in clear text. This makes auditing of the shared account particularly difficult, as many users have access to the account, and there is no easy way of tracking which user performs which action with respect to the account. In addition, there is a risk that a given user will distribute the shared account credential to unauthorized users. Moreover, to revoke access for a particular user, the credential must be changed on the shared account as a whole, and the new account credential then re-distributed to all remaining authorized shared account users.
An additional problem concerns account delegation, where a user is required to delegate the use of an account to another user, typically for a period of time. A typical use scenario is when a user must take a leave of absence, in which case account delegation allows that user to delegate a single account to one of a group of authorized users. Current identity management solutions do not allow for delegation of a single account to another person, but rather only allow for delegation of identity-related operations (e.g., workflow approvals).
Current identity management systems can facilitate the provisioning of shared account credentials. In both the shared account and delegated account cases, however, a significant drawback of such systems is that all shared account users have access to a clear text password. Additionally, the shared account users themselves typically have authorization to modify this password. In the case of shared accounts, a password change by one user can result in revocation of access for the other authorized users.